SecurityTracker.com
SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   Microsoft Internet Information Server (IIS) Web Server
Vendors:   Microsoft
Microsoft Internet Information Server Comes With Code That Allows Remote Users to Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1004008
SecurityTracker URL:  http://securitytracker.com/id/1004008
CVE Reference:   CVE-2002-0074, CVE-2002-0075, CVE-2002-0148
Updated:  Dec 3 2003
Original Entry Date:  Apr 10 2002
Impact:   Disclosure of authentication information, Execution of arbitrary code via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 4.0, 5.0, 5.1
Description:   Several cross-site scripting vulnerabilities were reported in Microsoft's Internet Information Server (IIS) web server. A remote user can conduct cross-site scripting attacks against other users of an IIS-based site to steal their cookies.

A remote user can construct a URL containing a malicious script and deliver it to a target (victim) user. When the target user's browser loads the URL, IIS reflects the script in its response and the browser executes it. Because the script appears to originate from the IIS-based web site, it runs in that site's security context and can read the target user's cookies and other personal information associated with that site.

According to the vendor, there are three vulnerable areas:

1) A search facility in IIS 5.0 and 5.1 only that allows IIS help files to be searched.

2) A redirect response (indicating that a requested web page has been moved to a new location) in IIS 4.0, 5.0, and 5.1 when used with a browser other than Internet Explorer.

3) Several error message pages in IIS 4.0 and 5.0.


A demonstration exploit is provided for the help-file search flaw. To check a system, enter the following in the IIS help search field:

<img src=javascript:alert(document.domain)>

If a dialog box pops up showing the site's domain name, the server is vulnerable.
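The three reflection contexts listed above and the check just described, modelled as an added example (this is not code from the advisory, from cgisecurity.com, or from Microsoft). The server-side functions are a simulation with assumed markup standing in for IIS's search-results page, redirect body and error page before and after the fix; reflection_state classifies whether a response contains the probe intact or only HTML-encoded; probe runs the same classification against a live URL whose address and query parameter name you supply, since the page does not give the IIS help search path and none is assumed here. The attribute-breaking variant ATTR_PAYLOAD used for the redirect context is an assumption, not part of the original probe.

```python
import html
import urllib.error
import urllib.parse
import urllib.request

# Probe string from the advisory. ATTR_PAYLOAD (assumed, not from the page)
# first closes the href attribute that a redirect body puts the URL into.
PAYLOAD = "<img src=javascript:alert(document.domain)>"
ATTR_PAYLOAD = '">' + PAYLOAD

# ---- Simulated server side: the three reflection contexts the bulletin lists.
# Stand-ins for the pre-patch behaviour (untrusted input copied into the
# response verbatim) beside the hardened form (HTML-encode at the point of
# output). Not IIS code; the markup is assumed.

def search_results_vulnerable(term):
    return f"<html><body>No help topics matched <b>{term}</b></body></html>"

def search_results_fixed(term):
    return f"<html><body>No help topics matched <b>{html.escape(term, quote=True)}</b></body></html>"

def redirect_body_vulnerable(location):
    # Body sent with a 302 so a browser that does not auto-follow the Location
    # header still gets a link; `location` is attacker-influenced when it is
    # derived from the requested path.
    return f'<head><title>Object moved</title></head><body><a href="{location}">here</a></body>'

def redirect_body_fixed(location):
    return f'<head><title>Object moved</title></head><body><a href="{html.escape(location, quote=True)}">here</a></body>'

def error_page_vulnerable(path):
    return f"<html><body><h1>404 Not Found</h1>The requested URL {path} was not found.</body></html>"

def error_page_fixed(path):
    return f"<html><body><h1>404 Not Found</h1>The requested URL {html.escape(path, quote=True)} was not found.</body></html>"

# ---- Client side: classify how a response reflects the probe.

def reflection_state(body, payload):
    """'unescaped': probe markup is in the page intact (script will run);
    'encoded': only an HTML-encoded copy is present (output encoding in place);
    'absent': the input is not reflected at all."""
    if payload in body:
        return "unescaped"
    if html.escape(payload, quote=True) in body or html.escape(payload, quote=False) in body:
        return "encoded"
    return "absent"

def probe(url, param, payload=PAYLOAD, timeout=10.0):
    """Live check: put the probe in query parameter `param` of `url` and
    classify the response body. Error pages (area 3) come back as 4xx, so the
    HTTPError body is read as well. Network call; demo() below does not use it."""
    parts = urllib.parse.urlsplit(url)
    query = dict(urllib.parse.parse_qsl(parts.query, keep_blank_values=True))
    query[param] = payload
    target = urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(query)))
    try:
        with urllib.request.urlopen(target, timeout=timeout) as resp:
            raw, charset = resp.read(), resp.headers.get_content_charset()
    except urllib.error.HTTPError as err:
        raw, charset = err.read(), err.headers.get_content_charset()
    return reflection_state(raw.decode(charset or "latin-1", "replace"), payload)

def demo():
    """Run the three contexts, pre-patch and hardened, against the probe."""
    return {
        "search": (reflection_state(search_results_vulnerable(PAYLOAD), PAYLOAD),
                   reflection_state(search_results_fixed(PAYLOAD), PAYLOAD)),
        "redirect": (reflection_state(redirect_body_vulnerable("/old" + ATTR_PAYLOAD), ATTR_PAYLOAD),
                     reflection_state(redirect_body_fixed("/old" + ATTR_PAYLOAD), ATTR_PAYLOAD)),
        "error": (reflection_state(error_page_vulnerable("/missing" + PAYLOAD), PAYLOAD),
                  reflection_state(error_page_fixed("/missing" + PAYLOAD), PAYLOAD)),
    }

if __name__ == "__main__":
    for context, (before, after) in demo().items():
        print(f"{context:8s} pre-patch: {before:9s} hardened: {after}")
```

The classifier only distinguishes an intact reflection from an HTML-encoded one in the body; it does not inspect the redirect's Location header, which the simulation does not model, and a result of "absent" for a live probe means the parameter is not echoed at all, not that the server is patched.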

Microsoft has assigned this vulnerability a 'Moderate' severity level for Client Systems.

The vendor credits the following for reporting this information:

1) Joe Smith (jsm1th@hotmail.com) and zenomorph (admin@cgisecurity.com) of http://www.cgisecurity.com for reporting the cross-site scripting vulnerability in the IIS Help File search facility.

2) Keigo Yamazaki of the LAC SNS Team (http://www.lac.co.jp/security/) for reporting the cross-site scripting vulnerability affecting redirect response messages.

3) Thor Larholm of Jubii A/S for reporting the cross-site scripting vulnerability affecting HTTP error pages.

Impact:   A remote user can conduct a cross-site scripting attack against other users of an IIS-based web site, stealing their cookies and other personal information associated with that site.
Solution:   The vendor has released a fix:

For Microsoft IIS 4.0:

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=37931

For Microsoft IIS 5.0:

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=37824

For Microsoft IIS 5.1:

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=37857

The IIS 4.0 patch can be installed on systems running Windows NT 4.0 SP6a. The IIS 5.0 patch can be installed on systems running Windows 2000 SP1 or SP2. The IIS 5.1 patch can be installed on systems running Windows XP Professional Gold (the original release, with no service pack).

Microsoft notes that the IIS 5.0 fixes will be included in Windows 2000 SP3 and the IIS 5.1 fixes will be included in Windows XP SP1.

For IIS 4.0 and 5.0, this patch reportedly supersedes the one previously provided in Microsoft Security Bulletin MS01-044.

The vendor lists a large number of caveats for this patch. See the Vendor URL for the list.

The vendor will issue Microsoft Knowledge Base article Q319733 shortly, to be available on the Microsoft Online Support web site.

Vendor URL:  www.microsoft.com/technet/security/bulletin/MS02-018.asp
Cause:   Authentication error, Input validation error
Underlying OS:  Windows (NT), Windows (2000), Windows (XP)

Message History:   None.


 Source Message Contents

Subject:  Netware Web Search Engine, and Microsoft IIS Help File Search Facility


http://www.cgisecurity.com/advisory/9.txt
Attachment: 9.txt

                                  [ Cgi Security Advisory #9 ]
                                     admin@cgisecurity.com
               Netware Web Search Engine, and Microsoft IIS Help File Search Facility 
                                   Cross Site Scripting Holes



Both Found
December 2001

Public Release
April 2002

Vendors Contacted
December 3rd 2001

Scripts Affected: Netware Web Search, IIS
Cost: I dunno but they ain't free :)

Versions:

Novell:
Web Search 2.0, 2.0.1

Microsoft:
IIS 4.0 and 5.0

Vendors:
http://www.novell.com/products/websearch/
http://www.microsoft.com


1. Problem

These products are affected by a Cross Site Scripting hole. This hole may allow
an attacker to trick a user into thinking something the attacker wrote
actually came from the site that is affected. This involves some social
engineering to a point but could possibly allow gathering of user information
and other types of fraud. The easiest way to see if you're affected is to enter
the following in your search engine field <img src=javascript:alert(document.domain)>.
If a box pops up showing your domain name you're vulnerable.


2. Fixes

The vendors were notified of the problem. Check the pages below
for patching/upgrade information.


Novell fix information:
"Yes, the fix can be found at support.novell.com  downloads  It is part
of the NetWare 6 sp1 update." - Novell

Microsoft fix information:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms02-018.asp


3. Additional

I swear these are my last Cross Site Scripting holes. I found the IIS
hole helping a friend with a pen test, and the novell hole 5 minutes
later. I only released this advisory because they are two large companies
that suffer the same problem, and I myself like to know if my software
has holes no matter how small they are.

Published to the Public April 2002
Copyright April 2002 Cgisecurity.com




 
 



Copyright 2019, SecurityGlobal.net LLC